Thursday, 7 April 2016

Linux Unified Key Setup-on-disk-format (or LUKS) - Disk Encryption in Linux


Let us talk about security hardening in Linux. The first topic that comes to mind is disk encryption. The risk of a system's physical compromise, particularly for mobile systems such as laptops, puts sensitive data at risk of exposure. Encrypting the data at rest mitigates that risk if the system is lost or stolen; it does nothing against an attacker who reaches the system while the volume is unlocked, so it complements, rather than replaces, access controls on the running system.
LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk format, it not only facilitates compatibility among distributions but also provides secure management of multiple user passphrases. In contrast to earlier solutions, LUKS stores all the necessary setup information in the partition header, enabling the user to transport or migrate data seamlessly.


What LUKS does:
  1. LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
  2. The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage.
  3. LUKS uses the existing device mapper kernel subsystem.
  4. LUKS provides passphrase strengthening (PBKDF2 with a per-slot salt and iteration count), which slows down dictionary attacks against the passphrase.
  5. LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.

What LUKS does not do:
  1. LUKS is not well-suited for applications requiring many (more than eight, the number of key slots in a LUKS1 header) users to have distinct access keys to the same device.
  2. LUKS is not well-suited for applications requiring file-level encryption.
Let us talk about how to configure disk encryption in Linux. If you want to configure disk encryption at OS installation time, select the "Encrypt my data" check box in the disk partitioning section of the installer.

When performing an automated installation using kickstart, encrypted partitions can be created with the --encrypted and --passphrase= options on each part line that should be encrypted. For example, the following line would encrypt the /home partition.

part /home --fstype=ext4 --size=10000 --onpart=vda2 --encrypted --passphrase=PASSPHRASE

Note that the passphrase, PASSPHRASE, is stored in the kickstart profile in plaintext, so the kickstart profile must be protected accordingly, and it is worth adding a fresh passphrase and removing this one once the system is installed. Omitting the --passphrase= option causes the installer to pause and ask for the passphrase during installation.

Here are the steps to configure an encrypted volume after OS installation. First check with rpm or yum whether the cryptsetup package is installed on the server; if it is not, install it using yum or rpm.

cryptsetup-1.6.6-3.el7.x86_64 : A utility for setting up encrypted disks

Use either a partition on a physical disk or a new logical volume. Here I am using /dev/sdb1 to create an encrypted partition. Run the following command to create it. Because it overwrites whatever is on the device, it will ask for confirmation (type YES in upper case) and then for the passphrase that will unlock the partition.

# cryptsetup luksFormat /dev/sdb1

Now, to access the encrypted partition, map it under a logical name with the following command. It will ask you for the passphrase.
# cryptsetup luksOpen /dev/sdb1 name

Create a filesystem on the unlocked volume, which appears as /dev/mapper/name.
#mkfs -t ext4 /dev/mapper/name

Create a mount point for the filesystem, mount it, then access the contents.

When finished, unmount the filesystem, then lock the encrypted volume.
# umount /mountpoint
# cryptsetup luksClose name
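The sequence above, wrapped in a script with the checks I would want before running luksFormat on a server: refuse a device that is mounted, already carries a LUKS header, or is not a block device, and reject mapper names that would not be safe in /dev/mapper, crypttab or fstab. This is an added example, not code from the original post. It assumes cryptsetup 1.6.x on RHEL/CentOS 7 with findmnt from util-linux, root privileges, and that the device, mapper name and mount point are passed on the command line (the values shown in the comment are placeholders):

```shell
#!/bin/bash
# Added example (not from the original post): guarded luksFormat / luksOpen /
# mkfs / mount / luksClose. Assumes cryptsetup 1.6.x, root, and arguments
# such as:   ./luks-setup.sh setup /dev/sdb1 data /data
#            ./luks-setup.sh teardown data /data
set -e

# Mapper names become paths under /dev/mapper and fields in crypttab/fstab,
# so refuse anything empty, containing '/' or whitespace, or '.'/'..'.
valid_mapper_name() {
    case "$1" in
        ''|*/*|*[[:space:]]*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

mapper_path() {
    printf '/dev/mapper/%s\n' "$1"
}

# luksFormat destroys whatever is on the device, so stop if it is mounted,
# already a LUKS container, or not a block device at all.
check_target_device() {
    local dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if findmnt -n -S "$dev" >/dev/null 2>&1; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "$dev already holds a LUKS header; refusing to overwrite" >&2; return 1
    fi
}

setup_volume() {
    local dev="$1" name="$2" mnt="$3"
    valid_mapper_name "$name" || { echo "bad mapper name: $name" >&2; return 1; }
    check_target_device "$dev"
    # Cipher, key size, hash and PBKDF2 time are given explicitly so the
    # result does not depend on the distribution's compiled-in defaults.
    # --verify-passphrase asks for the passphrase twice; luksFormat also
    # asks for an upper-case YES before writing the header.
    cryptsetup --verify-passphrase --cipher aes-xts-plain64 --key-size 512 \
        --hash sha256 --iter-time 2000 luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$name"
    mkfs -t ext4 "$(mapper_path "$name")"
    mkdir -p "$mnt"
    mount "$(mapper_path "$name")" "$mnt"
    echo "mounted $(mapper_path "$name") on $mnt"
}

teardown_volume() {
    local name="$1" mnt="$2"
    umount "$mnt"
    cryptsetup luksClose "$name"
}

case "${1:-}" in
    setup)    setup_volume "$2" "$3" "$4" ;;
    teardown) teardown_volume "$2" "$3" ;;
esac
```

After setup, cryptsetup luksDump /dev/sdb1 shows the cipher and hash actually written to the header and which key slots are in use, which is the quickest way to confirm the options took effect.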

All good! That is all you need to know to configure an encrypted volume. However, if a LUKS partition is created at installation time, normal system operation prompts the user for the LUKS passphrase at boot time. This is fine for a desktop or laptop, but not for a server that may need to reboot unattended.
To boot a server with an encrypted volume unattended, a file must be created holding a LUKS key that unlocks the encrypted volume. This file must be present on an unencrypted filesystem. Of course this presents a security risk if that filesystem is on the same disk as the encrypted volume, because theft of the disk would include the key needed to unlock it, and the encryption would then protect nothing. Typically the file with the key is stored on removable media such as a USB key that is kept separately from the server.

Here are the steps to configure a system to persistently mount an encrypted volume without human intervention.
Locate or generate a key file. This is typically created from random data on the server and kept on a separate storage device. Make sure the file is owned by root with permissions 600, so that only root can read it.

Add the key file to LUKS using the following command, and provide an existing passphrase for the encrypted volume when prompted. The key goes into a free key slot; the original passphrase remains valid alongside it.
# cryptsetup luksAddKey /dev/sdb1 /root/keyfile

Create an /etc/crypttab entry for the volume. /etc/crypttab lists the devices to be unlocked during system boot; each line gives the mapper name, the source device, the key file and the options (luks).

Add an entry in /etc/fstab that mounts the unlocked device, /dev/mapper/name, on its mount point so the filesystem is mounted at boot.

Note: the name used in /etc/fstab (data in this example) must match the name chosen in /etc/crypttab.
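The unattended-unlock steps above (key file, luksAddKey, crypttab, fstab) as one script. This is an added example, not code from the original post. It assumes cryptsetup 1.6.x on RHEL/CentOS 7, root privileges, blkid available, and that the key file path given on the command line lives on the removable medium the post recommends (all device names and paths are placeholders). It goes slightly beyond the post in two ways: it references the source device in crypttab by UUID rather than by /dev/sdb1, so the entry survives the disk being renumbered, and it verifies the new key slot with --test-passphrase before printing the entries, so a bad key file is caught now rather than at the next reboot:

```shell
#!/bin/bash
# Added example (not from the original post): create a key file, enrol it in
# a spare LUKS key slot, prove it unlocks the volume, and print the crypttab
# and fstab lines for unattended boot. Assumes cryptsetup 1.6.x, root, and
# arguments such as:
#   ./luks-keyfile.sh /dev/sdb1 data /mnt/usbkey/sdb1.key /data
set -e

# 4 KiB of kernel randomness; LUKS uses the whole file as the secret.
# umask 077 inside the subshell closes the gap between create and chmod.
make_keyfile() {
    local keyfile="$1"
    [ -e "$keyfile" ] && { echo "$keyfile exists; not overwriting" >&2; return 1; }
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs=4096 count=1 status=none )
    chown root:root "$keyfile"
    chmod 0600 "$keyfile"
}

enrol_keyfile() {
    local dev="$1" keyfile="$2"
    # luksAddKey prompts for an existing passphrase, then stores the key
    # file's contents in the next free slot.
    cryptsetup luksAddKey "$dev" "$keyfile"
    # --test-passphrase checks that the key file opens a slot without
    # creating a device-mapper mapping.
    cryptsetup --key-file "$keyfile" --test-passphrase luksOpen "$dev"
}

device_uuid() {
    blkid -s UUID -o value "$1"
}

# crypttab fields: <mapper name> <source device> <key file> <options>.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# fstab fields: <device> <mount point> <fstype> <options> <dump> <pass>.
# The device is the unlocked mapping, so the name must match crypttab.
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 1 2\n' "$1" "$2" "$3"
}

main() {
    local dev="$1" name="$2" keyfile="$3" mnt="$4"
    make_keyfile "$keyfile"
    enrol_keyfile "$dev" "$keyfile"
    local uuid
    uuid="$(device_uuid "$dev")"
    echo "add to /etc/crypttab: $(crypttab_line "$name" "$uuid" "$keyfile")"
    echo "add to /etc/fstab:    $(fstab_line "$name" "$mnt" ext4)"
    # Show which slots are now in use (the passphrase slot plus the new one).
    cryptsetup luksDump "$dev" | grep 'Key Slot'
}

if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

The key file path in the crypttab line must be readable at the point in boot where the entry is processed, so if it lives on removable media as the post suggests, that medium has to be present and mounted first; and if the key file is ever lost or the medium stolen, remove its slot with cryptsetup luksKillSlot and enrol a new file.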
That's all! I will be coming up with a few more interesting articles on Linux; till then, stay tuned to Learn Linux and don't forget to add your valuable comments.
